[c-nsp] IP sec tunnel , two IPs same interface
Jessup, Toby
Toby.Jessup at qwest.com
Fri Aug 19 19:38:49 EDT 2005
Another solution is to eliminate IPsec entirely and just run plain-old
GRE over the Internet. But only crazy people would ever do that ....
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marcus Keane
Sent: Friday, August 19, 2005 4:22 PM
To: Ashe Canvar
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] IP sec tunnel , two IPs same interface
Ashe,
As Luan has already suggested, use tunnel protection not crypto maps.
You can then source one tunnel from the primary and another from the
secondary. ISAKMP will just follow this. The command is "tunnel
protection ipsec profile myprofile" on the tunnel interface.
Marcus
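The layout Marcus describes, written out as an added example (not configuration from the thread's author or from Cisco documentation): the crypto map is dropped from both interfaces, one IPsec profile is attached to each tunnel, and each tunnel is sourced from the address it should use so that IKE follows it. The ISAKMP policy values, the pre-shared keys, the second peer address CCC.CCC.1.1 and the Tunnel42 addressing are placeholders assumed here; the remaining addresses come from the thread.

```cisco
! Assumed policy values and placeholder keys; one key per peer.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER-1 address BBB.BBB.217.250
crypto isakmp key PSK-PLACEHOLDER-2 address CCC.CCC.1.1
!
! Transport mode is enough because GRE already supplies the outer header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile myprofile
 set transform-set GRE-TS
!
! Tunnel to vpnrt2.nyc, sourced from the secondary address on Fa0/0.100.
! IKE/IPsec for this peer is now initiated from AAA.BBB.209.250.
interface Tunnel41
 description tunnel to vpnrt2.nyc
 ip address 10.17.1.17 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1300
 tunnel source AAA.BBB.209.250
 tunnel destination BBB.BBB.217.250
 tunnel protection ipsec profile myprofile
!
! Second tunnel (placeholder peer CCC.CCC.1.1), sourced from the primary
! address; it shares the profile but gets its own SAs.
interface Tunnel42
 description tunnel to second ISP peer
 ip address 10.17.1.21 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1300
 tunnel source YYY.XXX.158.4
 tunnel destination CCC.CCC.1.1
 tunnel protection ipsec profile myprofile
!
! The physical sub-interface keeps both addresses and no crypto map.
interface FastEthernet0/0.100
 description tunnel endpoint
 encapsulation isl 100
 ip address AAA.BBB.209.250 255.255.255.0 secondary
 ip address YYY.XXX.158.4 255.255.255.128
 no ip redirects
 no ip proxy-arp
!
! Verify: "show crypto isakmp sa" should now list AAA.BBB.209.250 as the
! local address for BBB.BBB.217.250 and YYY.XXX.158.4 for CCC.CCC.1.1.
```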
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ashe Canvar
Sent: Saturday, 20 August 2005 1:32 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IP sec tunnel , two IPs same interface
Thanks all you guys. Here is the exact config:
!
interface Tunnel41
description tunnel to vpnrt2.nyc
ip address 10.17.1.17 255.255.255.252
ip mtu 1420
ip tcp adjust-mss 1300
ip ospf cost 15000
ip ospf hello-interval 2
tunnel source AAA.AAAA.209.250
tunnel destination BBB.BBB.217.250
tunnel path-mtu-discovery
crypto map VPN
!
interface FastEthernet0/0.100
description tunnel endpoint
encapsulation isl 100
ip address AAA.BBB.209.250 255.255.255.0 secondary
ip address YYY.XXX.158.4 255.255.255.128
no ip redirects
no ip proxy-arp
no snmp trap link-status
crypto map VPN
!
So the problem is that even though the "tunnel source AAA.AAAA.209.250"
command is enabled on the Tunnel41 interface, it picks up the
"YYY.XXX.158.4" IP to initiate ISAKMP. This is not what I want because I
PBR the AAA.AAAA.209.250 IP and want the tunnel to take that specific
path.
vpnrt1.sjc#sho crypto isakmp sa
...
BBB.BBB.217.250 XXX.YYY.158.4 MM_KEY_EXCH 3807 0
...
Here are my responses to the suggestions so far:
1. You can't terminate tunnels on loopback interfaces because the crypto
map has to be applied to the incoming interface (have tried that).
2. Both IPs are in the same VLAN (limitation of the architecture), so
making 2 dot1q sub-interfaces in different VLANs is not feasible.
However, can I have 2 sub-interfaces in the same dot1q or ISL VLAN?
3. Derek, it would be awesome if you could dig up the global command.
But still the issue is that I want to terminate some tunnels on
AAA.BBB.209.250 and others on YYY.XXX.158.4.
Thanks again,
Regards,
-ansh
On 8/19/05, Antonio Querubin <tony at aloha.net> wrote:
> On Thu, 18 Aug 2005, Ashe Canvar wrote:
>
> > I need to terminate a GRE/IPsec tunnel on a router with only 2
> > ethernet interfaces. The inside interface has an rfc1918 address and
> > the external interface has a routable IP. The problem is that I want to
> > add a second IP to this interface to terminate a different tunnel
> > (this IP is from a different ISP).
> >
> > I have tried doing a secondary IP on the same interface but this
> > does not work. "sho cry isakamp sa" always shows the connection attempt
> > being made from the primary IP.
> >
> > Any way around this? Can I make two sub-interfaces be in the same
> > VLAN and terminate the VPN on these instead of using the secondary IPs?
>
> Have you considered using multiple loopback interfaces for the tunnel
> endpoint?
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/